Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-62790
Publication date:
29/10/2025
Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to 4.11.0, fim_fetch_attributes_state() implementation does not check whether time_string is NULL or not before calling strlen() on it. A compromised agent can cause a crash of analysisd by sending a specially crafted message to the wazuh manager. An attacker who is able to craft and send an agent message to the wazuh manager can cause analysisd to crash and make it unavailable. This vulnerability is fixed in 4.11.0.
Severity CVSS v4.0: MEDIUM
Last modification:
03/11/2025

CVE-2025-62787
Publication date:
29/10/2025
Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to 4.10.2, a buffer over-read occurs in DecodeWinevt() when child_attr[p]->attributes[j] is accessed, because the corresponding index (j) is incorrect. A compromised agent can cause a READ operation beyond the end of the allocated buffer (which may contain sensitive information) by sending a specially crafted message to the wazuh manager. An attacker who is able to craft and send an agent message to the wazuh manager can cause a buffer over-read and potentially access sensitive data. While the buffer over-read is always triggered while resolving the arguments of mdebug2, specific configuration options (analysisd.debug=2) need to be in place for the respective data to be leaked. This vulnerability is fixed in 4.10.2.
Severity CVSS v4.0: LOW
Last modification:
03/11/2025

CVE-2025-62788
Publication date:
29/10/2025
Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to 4.11.0, w_copy_event_for_log() references memory (initially allocated in OS_CleanMSG()) after it has been freed. A compromised agent can potentially compromise the integrity of the application by sending a specially crafted message to the wazuh manager. An attacker who is able to craft and send an agent message to the wazuh manager can leverage this issue to potentially compromise the integrity of the application (the use of previously freed memory may corrupt valid data, if the memory area in question has been allocated and used properly elsewhere). This vulnerability is fixed in 4.11.0.
Severity CVSS v4.0: MEDIUM
Last modification:
03/11/2025

CVE-2025-62789
Publication date:
29/10/2025
Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to 4.11.0, fim_alert() implementation does not check whether the return value of ctime_r is NULL or not before calling strdup() on it. A compromised agent can cause a crash of analysisd by sending a specially crafted message to the wazuh manager. An attacker who is able to craft and send an agent message to the wazuh manager can cause analysisd to crash and make it unavailable. This vulnerability is fixed in 4.11.0.
Severity CVSS v4.0: MEDIUM
Last modification:
03/11/2025

CVE-2025-12479
Publication date:
29/10/2025
Systemic Lack of Cross-Site Request Forgery (CSRF) Token Implementation.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .
Severity CVSS v4.0: CRITICAL
Last modification:
07/11/2025

CVE-2025-56558
Publication date:
29/10/2025
The Dyson MQTT server (2022 and possibly later) allows publications and subscriptions by a client that has the correct values of AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, and device serial number, even if a device (such as a Pure Hot+Cool device) has been removed and is not visible in the supported MyDyson app. This could allow an unexpected actor to obtain control and set the room temperature (up to 37 Celsius) if ownership of the device is transferred without wiping the device. NOTE: the Supplier's position is that this is a potential vulnerability that dates back 4 years ago in 2022 and "we are unable to replicate that anymore." Based on the submitted report, in order to leverage this issue, an attacker needs to own a Dyson device with full privileges, sniff for the AWS credentials, and then transfer ownership of that Dyson device to the victim. Even if these steps were successfully accomplished, the attacker only acquires the ability to configure the Dyson device within its safe operating range, and does not acquire the ability to execute code on the device or obtain sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
13/01/2026

CVE-2025-1549
Publication date:
29/10/2025
A local privilege escalation vulnerability in the WatchGuard Mobile VPN with SSL client on Windows enables a local user to execute arbitrary commands with elevated privileges on the Windows system. This vulnerability is an additional unmitigated attack path for CVE-2024-4944.<br /> <br /> <br /> <br /> <br /> <br /> This vulnerability is resolved in the Mobile VPN with SSL client for Windows version 12.11.5
Severity CVSS v4.0: MEDIUM
Last modification:
04/12/2025

CVE-2025-12478
Publication date:
29/10/2025
Non-Compliant TLS Configuration.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .
Severity CVSS v4.0: CRITICAL
Last modification:
07/11/2025

CVE-2025-12477
Publication date:
29/10/2025
Server Version Disclosure.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .
Severity CVSS v4.0: CRITICAL
Last modification:
07/11/2025

CVE-2025-12476
Publication date:
29/10/2025
Resource Lacking AuthN.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .
Severity CVSS v4.0: CRITICAL
Last modification:
07/11/2025

CVE-2025-60898
Publication date:
29/10/2025
An unauthenticated server-side request forgery (SSRF) vulnerability in the Thumbnail via-uri endpoint of Halo CMS 2.21 allows a remote attacker to cause the server to issue HTTP requests to attacker-controlled URLs, including internal addresses. The endpoint performs a server-side GET to a user-supplied URI without adequate allow/blocklist validation and returns a 307 redirect that can disclose internal URLs in the Location header.
Severity CVSS v4.0: Pending analysis
Last modification:
30/10/2025

CVE-2025-60542
Publication date:
29/10/2025
SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false.
Severity CVSS v4.0: Pending analysis
Last modification:
30/10/2025
Subscribe to Vulnerabilities